- Web injection/overlay attacks
- Theft of cryptocurrency wallets (Binance, Trust)
- Theft of MFA/2FA codes
- Theft of cookies
- Theft of SMS messages
- The ability to bypass Google two-step authentication
- VNC access to the device and screen capturing
- The ability to run and delete applications on demand
- The ability to send SMS messages on demand
- Information gathering from the device, including its IP, AndroidID, model, language, installed application list, screen and locked states, and reporting on the malware’s own capabilities
- Extensive logging of any successful or failed operations, phone activities (calls, SMS) and any errors
MaliBot is most obviously a threat to customers of Spanish and Italian banks, but we can expect a broader range of targets to be added to the app as time goes on. In addition, the versatility of the malware and the control it gives attackers over the device mean that it could, in principle, be used for a wider range of attacks than stealing credentials and cryptocurrency. In fact, any application that makes use of WebView is liable to have its users' credentials and cookies stolen.
Full article on MaliBot Android malware
Read the full F5 Labs article on the MaliBot Android malware to get the list of indicators of compromise (IoCs).
Watch a video review of MaliBot Android malware.